
All the world’s a context: Targeted ads go offline

Targeted ads are all over the Internet nowadays. One minute you’re searching for information about hair loss, the next you’re seeing offers for a remedy. Click the Like button on an article about genetic tests and you’ll see discounts for that kind of test. Advertisements on the Internet reflect the collected knowledge of everything the target — you! — has liked, searched for, and seen online, and this “diary” of your online life paints a pretty candid picture of you, too.

At this point, seeing ads based on your online history is hardly a surprise — at least, not while you’re online. So here’s something new to get used to: targeted ads on the street, in stores, and in our cars.

You’re easy to target

First of all, you should know that you are being counted. The owners of stores and shopping centers want to know how many people walk past a store and how many go inside. Those who pass by are counted by cameras, motion sensors, and floor-pressure sensors. People who stand in check-out lines are counted separately to help stores optimize the number of employees.

Second, your movements are tracked. Your own smartphone is used as a radio beacon. By measuring the signal strength to several access points, marketers can pinpoint your location to within several feet (the best algorithms are accurate to a few dozen inches). In online marketing parlance, it’s called the customer journey — and it’s important data for marketing purposes. Offline you can call it the same — but literally.

Third, salespeople are trying to find out as much as possible about you. General information about a person and their habits and interests can be acquired by studying their purchase history and social-network profile data (we’ll talk later in this article about how they access the profile). Modern image-recognition systems can guess the gender and approximate age of a visitor simply by taking a look at them through a camera lens.

A visitor’s immediate actions can be registered as well. For example, Intel’s AIM Suite technology is capable of determining the direction of a person’s gaze and calculating the number and duration of instances of a person looking at offline (physical) ads.

A crashed advertisement reveals the code of the facial recognition system used by a pizza shop in Oslo… pic.twitter.com/4VJ64j0o1a

How marketers track and sell

One of the most popular and effective methods for tracking potential and existing customers uses wireless (Wi-Fi) networks.

Its technical side is rather intriguing. When searching for available networks, a Wi-Fi gadget broadcasts its own MAC address, which is a unique combination of characters assigned by the manufacturer. (If Wi-Fi is enabled on the device, that search is continuous.) By picking up this MAC address, someone can track the movement of a specific person and find out, for example, which shops they enter and how often they visit the shopping center.

Developers of mobile platforms have made it harder for marketers to use this method. Starting with iOS 8, Apple mobile devices periodically broadcast fake MAC addresses, covering their owners’ tracks. Android 6.0 and above and Windows 10 adopted a similar tactic.

Nevertheless, their approach does not guarantee protection. In 2016, researchers from several French universities showed that it’s possible to identify devices using other service data that a device broadcasts when searching for networks, even without a MAC address. In the course of the experiment, the researchers managed to track almost half of the tested devices.

Here is how the owner of a mobile device can be identified without a MAC address. When a smartphone is searching for a Wi-Fi hotspot, it also broadcasts the SSIDs of already known networks (any networks to which it has been connected). This list alone may tie the phone to a specific person. For example, a gadget owner’s home Wi-Fi network name can be unique if they changed the default name set up by the router manufacturer or the service provider.

As noted in the project mentioned above, modern devices, for reasons of privacy, do not typically rely on this mechanism. However, the technique will still pick up old devices. Also, broadcasting an SSID is the only way to connect to a hidden network. Therefore, cautious users who have hidden their home network names are actually more prone to being tracked in public areas than other people.
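To check what your own device gives away when it searches for networks, the following added example (not part of the original article) parses a probe request and reports whether the sender address looks randomized and whether a network name is included. It assumes a raw 802.11 frame with no radiotap header or FCS; `build_probe`, `audit_probe` and the sample frames are constructed for illustration.

```python
PROBE_REQUEST = 0x40   # frame-control byte: management frame, subtype 4
HEADER_LEN = 24        # fixed 802.11 management header (no radiotap, no FCS)
TAG_SSID = 0           # information element ID that carries the network name


def build_probe(mac: str, ssid: str) -> bytes:
    """Construct a sample probe request (test data, not a real capture)."""
    src = bytes.fromhex(mac.replace(":", ""))
    header = (bytes([PROBE_REQUEST, 0, 0, 0]) + b"\xff" * 6 + src
              + b"\xff" * 6 + b"\x00\x00")
    name = ssid.encode()
    rates = bytes([1, 4, 0x02, 0x04, 0x0B, 0x16])   # supported-rates element
    return header + bytes([TAG_SSID, len(name)]) + name + rates


def audit_probe(frame: bytes) -> dict:
    """Report what one probe request from your own device reveals."""
    if len(frame) < HEADER_LEN or frame[0] != PROBE_REQUEST:
        raise ValueError("not an 802.11 probe request")
    src = frame[10:16]                      # addr2 = transmitter address
    ssid, pos = "", HEADER_LEN
    while pos + 2 <= len(frame):            # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            break                           # truncated element, stop parsing
        if tag == TAG_SSID:
            ssid = value.decode("utf-8", errors="replace")
            break
        pos += 2 + length
    return {
        "mac": ":".join(f"{b:02x}" for b in src),
        # Locally administered bit set: not a manufacturer-assigned address,
        # which is how randomized MAC addresses are marked.
        "randomized_mac": bool(src[0] & 0x02),
        "leaked_ssid": ssid or None,        # empty SSID is a wildcard probe
    }


SAMPLES = [
    build_probe("da:a1:19:00:00:01", ""),                     # wildcard probe
    build_probe("00:11:22:33:44:55", "Example-Hidden-Home"),  # directed probe
]

if __name__ == "__main__":
    for frame in SAMPLES:
        print(audit_probe(frame))
```

A device in good shape reports `randomized_mac: True` and `leaked_ssid: None`; a named SSID in the output points to a saved hidden network worth removing or reconfiguring.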

None of those tricks are needed, though, if the device actually connects to a network. In that case, the gadget sends its real MAC address to the access point.

You might point out that a MAC address makes a distinction between one device and another, not between users. That’s true. However, when attempting to use free Internet, guests may have to authorize themselves on the network, for example by entering credentials for a social-media account.

Is free Wi-Fi convenient? It is. Does anyone read the Terms of Service to find out how their social media information is being used? Some say such people exist, but have you ever met one? The upshot is, store owners typically receive user profile information, and this data is quite valuable for targeted advertising and other marketing tricks.

What happens to your data?

As an example, let’s take a look at the End User Privacy Policy of Purple, a Wi-Fi data collection and analytics outfit.

The list of data collected includes:

Information from a social media account and the credentials (for example, an e-mail address) used to connect to the network;

A history of websites visited over the wireless network;

The technical specifications of the visitor’s smartphone, including IMEI number and phone number;

The location of the visitor within the shopping center.

Who can use the data collected from visitors, and how?

The owners of the establishment, who can show offers with goods and services as well as study “how the venue is being used and by whom.”

Advertisers, which can receive generalized information about the visitors of the establishment for “consumer analysis.”

Third parties, which, again, can use it for targeted advertising.

In addition, the collected information is bound to change hands if the operator sells the entire business or some of its assets.

In the case of Purple, after 24 months the operator anonymizes collected information by deleting all of the information that identifies a specific person. It is unclear, however, when this period actually starts. If it begins at the time of the last visit, then, by connecting to the network every so often, you may perpetually extend the life of your data on the operator’s servers.

The quiescent enemy

Another surveillance option, judging by the latest news, involves ultrasound, and it’s starting to gain popularity among advertisers. The essence of the technology is the placement of ultrasound beacons. Humans can’t hear the signal, but a smartphone’s microphone can pick it up and deliver it to an app on the phone.

Ultrasound beacons can be physical — placed in shopping centers to track customers’ movements — or virtual. Ultrasound signals added to an audio track of a television program can measure the audience, for example, and ultrasound audio files that a website plays back can register and track visitors across various platforms.

These methods may sound like part of a distant future — or at least like something still in an experimental phase. Alas, it is not so. Ultrasound tracking has been in commercial use for quite some time; we are just unable to hear it.

In April 2017, researchers at the Braunschweig University of Technology revealed that they had discovered more than 200 applications that track users with the help of ultrasound. They also mentioned that as many as three platforms in commercial use have been leveraging this technology: Shopkick, Lisnr, and SilverPush.

Moreover, the researchers also found operational Shopkick ultrasound beacons in several European shopping centers.
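A recording can be checked for such a signal by measuring narrowband energy just above the range of normal hearing. This added example (not from the original article) uses the Goertzel algorithm for that; the 18–20 kHz band, the amplitude threshold, and the synthetic recordings are assumptions chosen for illustration, and the function names are hypothetical.

```python
import math
import random

SAMPLE_RATE = 44100          # Hz, common microphone capture rate
BAND = (18000, 20000)        # Hz, assumed beacon band (not stated on the page)
THRESHOLD = 0.01             # tone amplitude (full scale = 1.0) treated as a hit


def bin_amplitude(samples, k):
    """Goertzel algorithm: amplitude of the tone at DFT bin k."""
    n = len(samples)
    coeff = 2 * math.cos(2 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    power = s1 * s1 + s2 * s2 - coeff * s1 * s2
    return 2 * math.sqrt(max(power, 0.0)) / n


def find_beacon(samples, rate=SAMPLE_RATE, band=BAND, threshold=THRESHOLD):
    """Return (frequency_hz, amplitude) of the strongest in-band tone, or None."""
    n = len(samples)
    lo, hi = (round(f * n / rate) for f in band)
    amp, k = max((bin_amplitude(samples, k), k) for k in range(lo, hi + 1))
    return (k * rate / n, amp) if amp >= threshold else None


def make_sample(beacon_hz=None, n=2205, seed=0):
    """Constructed 50 ms recording: audible 440 Hz tone, noise, optional beacon."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        t = i / SAMPLE_RATE
        x = 0.5 * math.sin(2 * math.pi * 440 * t) + rng.gauss(0, 0.01)
        if beacon_hz:
            x += 0.05 * math.sin(2 * math.pi * beacon_hz * t)
        out.append(x)
    return out


if __name__ == "__main__":
    print(find_beacon(make_sample()))          # recording without a beacon
    print(find_beacon(make_sample(18500)))     # recording with an 18.5 kHz tone
```

The beacon here is ten times quieter than the audible tone and is still reported, while the recording without it stays below the threshold.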

Smile: You’re on hidden camera

In November 2016, a smart billboard targeting drivers of certain cars was put into operation in Moscow. The experimental billboard, installed by Synaps Labs, displays an advertisement for a new Jaguar SUV whenever a BMW or Volvo crossover approaches.

To drive the billboard’s operation, a machine-vision system compares the image of an approaching vehicle to the pictures in its database and, taking into account additional factors such as time of day and weather conditions, shows the appropriate advertisement.

Another method (also originating in Australia) was utilized in Porsche billboards, which address not the drivers of cars from competitors but those who drive Porsches. The advertising slogan praises the drivers: “It’s so easy to pick you out in a crowd.”

Tracking vehicle movements is even easier than tracking humans thanks to license plates. Fortunately, advertisers have not devised a way to use them yet.

Make yourself invisible

Online, you can use tools that block tracking and advertisements (for example, the Private Browsing module, which blocks data collection, and the Anti-Banner module in Kaspersky Internet Security 2017, which, you guessed it, gets rid of banner ads). But is there a way to hide from street advertising — which soon enough may address us by name?

If the idea of having your personal data collected over Wi-Fi troubles you, then try taking these steps:

1. Turn off Wi-Fi on your devices when you are not using it.
2. Do not connect to free Wi-Fi hotspots if you can manage without them.
3. Do not use social media accounts for authorization.
4. When connecting to public networks, use a VPN, which protects your connection from prying eyes.
5. Check which applications access the microphone on your smartphone. You can read more about this here.

Still, when targeted outdoor advertising starts to use biometric identification, for example, based on face recognition, protection may require taking more radical measures.
